Subject: Re: Windows 2000 IPSEC with cluster
From: Dallas Bishoff (dallas_bishoff@HOTMAIL.COM)
Date: Fri May 26 2000 - 06:45:18 CDT
- Next message: Russ: "FW: Microsoft Security Bulletin (MS00-036)"
- Previous message: Wayne@DiamondCS.com.au: "Latest wave of worms using hidden file-extensions"
- Maybe in reply to: Spinelli, Paolo: "Windows 2000 IPSEC with cluster"
- Maybe reply: Dallas Bishoff: "Re: Windows 2000 IPSEC with cluster"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Paolo:
This is a really good question, and I don't think a lot of folks are going to
understand this initially. First, look at the W2K resource kit sections on
using clustering and load balance services for RRAS type communications, and
then look at the IP security sections. There are some interesting
guidelines and info there. The resource kit will tell you that it won't do
this.
The problem that I suspect you're having, because it shows up in firewalls and
other security products, is that the cluster isn't managing the security
association state -- it isn't passing the encrypted keys between the cluster
environment. So if the primary system fails, the only way to get the IPsec
encrypted link back up is to re-create it.
You can get fail-over to work, I suspect with PPTP, but not IPsec yet.
You're also going to find that the IPsec implementation in W2K is sensitive
(probably won't work) with NAT, and while W2K has the ability to be
fully IPsec compliant, it's not out of the box. Mutual tunnel authentication
is turned off by default, as is perfect forward secrecy (PFS) -- which saves
on computation demand.
You know, mutual tunnel authentication is one of the major differentiators
between IPsec and the beloved PPTP. I wish that Microsoft would honor the
intent of the IETF a little more. I like the idea of being able to disable
mutual tunnel authentication if it's not required, but I don't think that it
should be the default.
Hope that helps!!!
Dallas N. Bishoff
MCSE+I, MCT, CCA, ICE, CCSE,
Nokia Security Administrator,
RSA ACE/Server Engineer,
blah, blah, blah...
From: "Spinelli, Paolo" <Paolo.Spinelli@COMPAQ.COM>
Reply-To: "Spinelli, Paolo" <Paolo.Spinelli@COMPAQ.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Windows 2000 IPSEC with cluster
Date: Thu, 25 May 2000 16:02:14 +0100
Hi all.
I'm experiencing problems using IPSEC within a clustered environment. Both
nodes have IPSecurity enabled, and the IPSEC policy is "Require Security". I
applied the same policy to the test client and everything is working well, but
if I force a fail-over I can't re-establish a valid SA with the node owning
the failed resource. The only way I figured out is to modify (or simply
assign and unassign) the policy on the client. Does someone know how to fix
this problem and why it occurs? Any hint?
Thanks,
Paolo
Paolo Spinelli
COMPAQ
Professional Services
e-mail: paolo.spinelli@compaq.com
Tel: 02/66182588
Cell: 0335/6429339
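The failure mode discussed in this thread (a peer's security association survives on the client but not on the node that takes over the virtual address) can be made concrete with a small simulation. The following is an added example written for this archive page, not code from either poster or from Microsoft: the nodes, SA table, packets and keys are all constructed Python objects standing in for a real IPsec stack. It contrasts a cluster that keeps SA state local to the active node with one that copies the SA to the standby at negotiation time.

```python
"""Toy model of IPsec SA state across a two-node cluster failover.

Added example, not part of the original mailing-list thread. Everything here
is constructed: the SA table, the "cluster" and the packets are Python objects,
not real IPsec or IKE. It shows why a peer's existing security association
cannot be used after failover unless the standby node already holds the same
SA state, which is the situation the posters describe.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import os


@dataclass
class SecurityAssociation:
    """The minimum a node needs to verify inbound ESP traffic from a peer."""
    spi: int
    auth_key: bytes
    seq_seen: int = 0


@dataclass
class Node:
    name: str
    inbound_sas: dict = field(default_factory=dict)   # spi -> SecurityAssociation
    alive: bool = True

    def install_sa(self, sa: SecurityAssociation) -> None:
        self.inbound_sas[sa.spi] = sa

    def receive(self, packet: dict) -> bool:
        """Return True if the packet is accepted under an installed SA."""
        sa = self.inbound_sas.get(packet["spi"])
        if sa is None:
            return False          # unknown SPI: a real stack silently drops it
        expected = hmac.new(sa.auth_key, packet["payload"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, packet["icv"]):
            return False          # integrity check failed
        if packet["seq"] <= sa.seq_seen:
            return False          # anti-replay, simplified to strict ordering
        sa.seq_seen = packet["seq"]
        return True


class Cluster:
    """Two nodes behind one virtual address; traffic reaches the active node."""

    def __init__(self, replicate_sa_state: bool):
        self.nodes = [Node("node-a"), Node("node-b")]
        self.replicate = replicate_sa_state

    @property
    def active(self) -> Node:
        return next(n for n in self.nodes if n.alive)

    def negotiate(self, peer_spi: int, auth_key: bytes) -> None:
        """Model a key exchange completing: the active node installs the SA.
        With replication, the standby receives a copy as well. Note that the
        anti-replay counter is not kept in sync here; a real implementation
        would have to replicate that too."""
        targets = self.nodes if self.replicate else [self.active]
        for node in targets:
            node.install_sa(SecurityAssociation(peer_spi, auth_key))

    def fail_active(self) -> None:
        self.active.alive = False


class Peer:
    """The client side: keeps its own copy of the SA it negotiated."""

    def __init__(self, spi: int, auth_key: bytes):
        self.spi, self.auth_key, self.seq = spi, auth_key, 0

    def send(self, cluster: Cluster, payload: bytes) -> bool:
        self.seq += 1
        icv = hmac.new(self.auth_key, payload, hashlib.sha256).digest()
        packet = {"spi": self.spi, "seq": self.seq, "payload": payload, "icv": icv}
        return cluster.active.receive(packet)


def failover_scenario(replicate_sa_state: bool) -> tuple:
    """Return (accepted_before_failover, accepted_after_failover)."""
    key = os.urandom(32)            # constructed session key
    spi = 0x1234ABCD                # constructed SPI value
    cluster = Cluster(replicate_sa_state)
    peer = Peer(spi, key)
    cluster.negotiate(spi, key)
    before = peer.send(cluster, b"hello")
    cluster.fail_active()
    after = peer.send(cluster, b"hello again")
    return before, after


if __name__ == "__main__":
    print("no replication:", failover_scenario(False))
    print("with replication:", failover_scenario(True))
```

Without replication the second call returns `(True, False)`: the client still trusts its SA, but the surviving node has no entry for that SPI and drops the traffic, which matches the symptom of having to unassign and reassign the policy to force a fresh negotiation. With replication it returns `(True, True)`. The model also hints at why fail-over of encrypted sessions is hard in practice: keys, SPIs and replay counters all have to move together, and a product that only moves the virtual address leaves the peer talking to a node that has never seen the session.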